Digital Edition

SYS-CON.TV
Linux and Security: Forrester Report Flawed, Say Four Top Vendors
Linux and Security: Forrester Report Flawed, Say Four Top Vendors

GNU/Linux vendors Debian, Mandrakesoft, Red Hat, and SUSE have joined together to give a common statement about the Forrester report entitled "Is Linux more Secure than Windows?" - here's the full text, released yesterday:

Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, it treats all vulnerabilities are equal, regardless of their risk to users. As a result, the conclusions drawn by Forrester have extremely limited real-world value for customers assessing the practical issue of how quickly serious vulnerabilities get fixed.

The security response teams of GNU/Linux distributors Debian, Mandrakesoft, Red Hat and SUSE have assisted Forrester in gathering and correcting data about vulnerabilities in their products. The gathered data was used at Forrester for a report that became titled "Is Linux more secure than Windows?". While the Linux vulnerability data that is the basis for the report is considered to be sufficiently accurate and useful, Debian, Mandrakesoft, Red Hat and SUSE, from now on referred to as "We", are concerned about the correctness of the conclusions made in the report.

We believe that it is in the interest of our usership and the OpenSource community to respond to the Forrester report in the form of a common statement:

We were approached by Forrester in February 2004 to help them refine their raw data. Forrester collected data about the vulnerabilities that affected Linux during a one year period and looked at how many days it took us to provide fixes to our users. Significant efforts have been put in not only making sure that the underlying dataset for the Linux vulnerabilities was correct, but also to articulate the special technical and organisational care taken in the response processes in the professional Open Source security field. This expertise is greatly appreciated by our usership since it adds a high value to our products, but we see that most of this value has been ignored in the methods used for the analysis of the vulnerability data, leading to erroneous conclusions.

Our Security Response Teams and security specialized organisations of respectable reputation (such as the CERT/DHS, BSI, NIST, NISCC) exchange information about vulnerabilities and cooperate on the measures and procedures to react to them. Each vulnerability gets individually investigated and evaluated; the severity of the vulnerability is then determined by each of the individual teams based on the risk and impact as well as other, mostly technical, properties of the weakness and the software affected. This severity is then used to determine the priority at which a fix for a vulnerability is being worked on weighed against other vulnerabilities in our current queue. Our users will know that for critical flaws we can respond within hours. This prioritisation means that lower severity issues will often be delayed to let the more important issues get resolved first.

Even though the Forrester report claims so, it does not make that distinction when it measures the time elapsed between the public knowledge of a security flaw and the availiability of a vendor's fix. For each vendor the report gives just a simple average, the "All/Distribution days of risk", which gives an inconclusive picture of the reality that users experience. The average erroneously treats all vulnerabilities as equal, regardless of the risk. Not all vulnerabilities have an equal impact on all users. An attempt has been made to allocate a severity to vulnerabilities using data from a third party, however the classification of "high-severity" vulnerabilities is not sufficient: The mere announcement of a vulnerability by a particular security organisation does not necessarily make the vulnerability severe - similarly, the ability to exploit a weakness over the network (remote) is often irrelevant to the vulnerability's severity.

We believe the report does not treat the open source vendors and single closed source vendor in the same way. Open Source Software (OSS) is known for its variety and its freedom of choice amongst the standards it defines. Multiple implementations of these standards are typically offered for both desktop and server use, which gives users the freedom to select software based on their own criteria rather than those of the vendor. The openness, transparency and traceability of the source code is added value in addition to the larger variety of software packages available. Finally, the claim that one software vendor had fixed 100% of their flaws during the period of the report should be incentive for a closer investigation of the conclusions the report presents.

signed,

Noah Meyerhans, Debian
Vincent Danen, Mandrakesoft
Mark J Cox, Red Hat
Roman Drahtmueller, SUSE

Additional Information:

Javier Fernández-Sanguino Peña composed a survey in 2001[*] and discovered that it has taken the Debian security team an average of 35 days to fix vulnerbilities posted to the Bugtraq list. However, over 50% of the vulnerabilities where fixed in a 10-days time frame, and over 15% of them where fixed the same day the advisory was released! For this analysis, all vulnerabilities were treated the same, though.

He has rerun the survey based on vulnerabilities discovered between June 1st 2002 and May 31st 2003 and found out that the median value of delays between the disclosure and releasing an advisory including a correction was 10 days (average is 13.5 days). Again, for this analysis advisories were not classified with different priorities.

* http://lists.debian.org/debian-security-0112/msg00257.html
http://people.debian.org/~jfs/debconf/security/data/

About Linux News Desk
SYS-CON's Linux News Desk gathers stories, analysis, and information from around the Linux world and synthesizes them into an easy to digest format for IT/IS managers and other business decision-makers.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

It seems to me that there is an analogue between the IT world and biology; If an organism is susceptible to a particular virus then all identical organisms can be affected/infected/destroyed - MS windows/outlook. Diversity however offers a measure of inherent protection - Mandrake/Suse/RedHat etc. they are all Linux and are interoprable (lets make sure that continues ) but are sufficiently diverse so as to present a defence against one version of a virus. Maybe some biologist can correct me on this ( or maybe some MS sponsered empirical study of micro-orgainsms on Mars)

This is all just one big tennis game...

Every time you read something that praises Linux and the
Open Source community, it is only a matter of time before Microsoft or one of it's statistic happy puppets come out
with an article, statement or press release to slander
and spread FUD around Linux.

If someone finds and publicizes a Windows security a flaw,
it is only a matter of hours before someone follows up with
a Linux bashing statemtent.

I guarantee if no-one ever found anything to bitch about
with Microsoft products, you would never hear any Linux
bashing. (Too bad there's soooooooo much to bitch about
in Microsof's products!)

Microsoft has to draw attention away from it's poorly
written products by slandering other products.
Slander is the only way Microsfot knows how to compete!

Because it certainly can't compete on the merits of
'quality' software!!!!!!
(a word MS should not be allowed to use)

These IT research firms should be very clear, up front, what their financial relationship is with all the parties involved.

According to this article on the Microsoft site:

"In 2003, Microsoft Corporation commissioned Forrester Research, Inc., to conduct a study to measure the potential market of people in the United States who are most likely to benefit from the use of accessible technology for computers."




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

The question before companies today is not whether to become intelligent, it’s a question of how and...
While some developers care passionately about how data centers and clouds are architected, for most,...
ChatOps is an emerging topic that has led to the wide availability of integrations between group cha...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting ch...
As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being soft...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know ...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every ...
The cloud era has reached the stage where it is no longer a question of whether a company should mig...
The need for greater agility and scalability necessitated the digital transformation in the form of ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an over...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and ...
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they respon...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily ...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - w...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Ser...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy hig...
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis too...
"Cloud4U builds software services that help people build DevOps platforms for cloud-based software a...